What you should know about agents

Agent installation

The agent can be exposed and identified if installed in environments with antivirus or in environments managed by expert technicians.

To prevent this from happening, a substitute, the scout agent, is sent at installation; it is installed on the target device and checks the environment.

Once installed, the scout agent appears in the target page after the first synchronization. Its icon, similar to the agent one, indicates the platform where it is installed. For example:

Evidence acquisition for installation environment analysis

After installation is completed, the scout agent acquires evidence:

Installation environment analysis

After the scout agent acquires evidence, the evidence must be checked to decide whether the installation environment is safe for the agent.

If the environment is safe, the agent can be updated; the scout agent is replaced by the agent.

If the environment is not safe, the scout agent must be closed.

Updating the scout agent

Updating the scout agent installs the agent, and the scout agent icon is replaced by the agent icon in the target page.

Agent synchronization

An agent will perform synchronization only if:

Offline and online agents

An agent behaves differently according to the Internet connection availability:

If the Internet connection is not available, then, if the agent has modules enabled, it starts to record data on the device.

If the Internet connection is available, then, if the first synchronization has been run on the agent, you can:

  • change settings, for example, as recording requests become more specific for that device. Resetting an agent does not change factory settings,
  • update its software,
  • transfer files to and from the device,
  • analyze sent evidence.

Tip: start by creating an agent with only synchronization and the device module enabled. Then, once it is installed and the first synchronization has been received, gradually enable the other modules, according to the device capabilities and the type of evidence you want to collect.

Temporarily disabling an agent

Agent activities can be temporarily suspended without uninstalling the agent by simply disabling all the modules and leaving only synchronization active.

Agent testing

To test a configuration before production use, create an agent in Demo mode (see "Compiling a factory").

An agent created in demo mode behaves according to the given configuration, with the sole difference that it clearly signals its presence on the device (with audio, LED and screen messages). Signaling permits easy identification of an infected device used for testing.

NOTE: if evidence is not received from an agent in demo mode, this may be due to a server settings error or to the configured Collector address being unreachable (i.e., due to network settings problems).

Agent configuration

Agent configuration (basic or advanced) can be repeatedly edited. When saved, a copy of the configuration is created and saved in the configuration log.

At the next synchronization, the agent will receive the new configuration (Sent time) and communicate successful installation (Activated). From that point on, any changes can only be made by saving a new configuration.

NOTE: If Sent time and Activated are null, the current settings can still be edited.

For a description of agent configuration log data, see "Agent configuration log data".

RCS8.2 | User's and Installation Guide | © COPYRIGHT 2012